© 2000-2008 by PRESECURE® Consulting GmbH

®

Grid-CERT Services

Modification of traditional and additional new CERT Services for Grids

Presentation at the Annual FIRST Conference Vancouver, Canada ‐ June 26, 2008

Antonio Liu

© 2000-2008 by PRESECURE® Consulting GmbHSlide 2 / Grid-CERT Services – Annual FIRST Conference 2008

®

* Outline

1. Background

2. Introduction

3. Some significant Aspects of Grids 

4. Incidents and Incident Priority Lists

5. Traditional CERT Services

6. Modification of traditional CERT Services

7. New Services and a new Service Category

8. Conclusion

© 2000-2008 by PRESECURE® Consulting GmbHSlide 3 / Grid-CERT Services – Annual FIRST Conference 2008

®

* 1. Background

PRESECURE Consulting GmbH

Established in 2000

IT Consulting

Focus on Incident Response, Situational Awareness and Early Warning

Research projects for e.g. EU and BMBF

Close working relations with various CERTs 

e.g. S‐CERT, Siemens CERT, Telekom‐CERT a.o. 

Especially DFN‐CERT

© 2000-2008 by PRESECURE® Consulting GmbHSlide 4 / Grid-CERT Services – Annual FIRST Conference 2008

®

* Background

Presentation based on technical report for and operating experience of the DFN‐CERT

© 2000-2008 by PRESECURE® Consulting GmbHSlide 5 / Grid-CERT Services – Annual FIRST Conference 2008

®

* 2. Introduction

Rapidly increasing number of Grids

Grid‐Security is focused on secure communicationand data transfer

First reports of incidents in Grids

Grids are insecure and the number of incidentswill increase considerably

CERTs – a well proven security management concept can improve the operational security of Grids

© 2000-2008 by PRESECURE® Consulting GmbHSlide 6 / Grid-CERT Services – Annual FIRST Conference 2008

®

* Introduction

D‐Grid initiative started 2005

Six Community Grid projects and one Grid Integration project 

DFN‐CERT was tasked to research securityrelevant aspects

CERT members perspective

Grid community perspective 

Report uses different approach 

© 2000-2008 by PRESECURE® Consulting GmbHSlide 7 / Grid-CERT Services – Annual FIRST Conference 2008

®

Grids

First descriptions of Grid concepts in 90ties

Ian Foster and Carl Kesselmann: „ The Grid: Blueprint for a new Computing Infrastructure“, 1998

Most concepts and techniques developed at universitiesand research labs

Solution to:

Enable complex computation and simulation

Better use of existing ressources

Connection of heterogeneous systems

Provide easy access to computational power and ressources „on demand“

© 2000-2008 by PRESECURE® Consulting GmbHSlide 8 / Grid-CERT Services – Annual FIRST Conference 2008

®

Definition of Grid

Various different definitions

Foster (2003) defines:

„A Grid is a system that:1. Coordinates resources that are not subject to 

centralized control,

2. Using standard, open, general‐purpose protocolsand interfaces,

3. To deliver nontrivial qualities of service.“

© 2000-2008 by PRESECURE® Consulting GmbHSlide 9 / Grid-CERT Services – Annual FIRST Conference 2008

®

Grids – categorized by shared Resources

Computing Grid

Data Grid

Resource Grid

Service Grid

Knowledge Grid

Equipment Grid

© 2000-2008 by PRESECURE® Consulting GmbHSlide 10 / Grid-CERT Services – Annual FIRST Conference 2008

®

Grids – categorized by Purpose and Task

Distributed Computing

Large‐scale Data Analysis

Computer‐in‐the‐Loop Instrumentation

Collaborative Work

Science Portals

© 2000-2008 by PRESECURE® Consulting GmbHSlide 11 / Grid-CERT Services – Annual FIRST Conference 2008

®

Grid Software and Projects

Most established Grid implementations: 

Globus Toolkit 

gLite 

UNICORE (UNiform Interface to COmputing REsources)

Grid Projects and Initiatives: 

D‐Grid 

EGEE/EGEE2 (Enabling Grids for E‐Science

LCG (Large Hadron Collider Grid) 

SETI@home (Search for Extraterrestrial Intelligence at Home)

© 2000-2008 by PRESECURE® Consulting GmbHSlide 12 / Grid-CERT Services – Annual FIRST Conference 2008

®

* 3. Some significant Aspects of Grids

Integration of resources and users from different administrative control domains, with distributed locationsand varied organisational setupCollaborative use of resources Middleware

Functionalities for authentication, authorisation, identification of available and free resources as well as  access to resources

Large software packages e.g. GLOBUS Toolkit has 250 MB of binaries and config files, over 50 server processes after installation

Usage of other opensource software & standardse.g. Apache, OpenSSL, OpenSSH, a.o. 

© 2000-2008 by PRESECURE® Consulting GmbHSlide 13 / Grid-CERT Services – Annual FIRST Conference 2008

®

* Some further Aspects of Grids

User management carried out by each participating domain – Single Sign On

No centralized control of authentication,  authorisation or data transfer – use of proxycertificates

No centralized logging or monitoring

Intransparency wrt where a job was processed or what was processed on a system

© 2000-2008 by PRESECURE® Consulting GmbHSlide 14 / Grid-CERT Services – Annual FIRST Conference 2008

®

4. Incidents

No commonly accepted definition

Enourmous increase of reported incidents and attacks since many years

Possible explanations:

Enourmous increase of hosts

More detection through technical advances

Growth of software increases number of vulnerabilities (estimated average of 2 bugs per 1000 lines of code)

Increasing complexity of software leads 

to increase of configuration errors

© 2000-2008 by PRESECURE® Consulting GmbHSlide 15 / Grid-CERT Services – Annual FIRST Conference 2008

®

Definition for Incident

Tilman Holst defines:

„Event: An event is something observable.

Incident: One or more events, which lead to a violation of an explicit or implied policy.

Attack: An intentional incident.

Accident: An unintentional incident.“

© 2000-2008 by PRESECURE® Consulting GmbHSlide 16 / Grid-CERT Services – Annual FIRST Conference 2008

®

* Incidents – categorized by technical nature

(1) Scan

(2) Compromise

(3) Sniffer

(4) Abuse

(5) DoS

(6) Virus

(7) Trojan

(8) Spam

(9) Social engineering

(10) Warez

(11) Bot

(12) Botnet‐CC

(13) Account probe

(14) Phishing site

(15) Attempt

(16) Malware hosting

(17) Defacement

(0) Other

© 2000-2008 by PRESECURE® Consulting GmbHSlide 17 / Grid-CERT Services – Annual FIRST Conference 2008

®

* Incidents – categorized by threat level

Priority 1 – Threat to life and limbPriority 2 – Threat to network infrastructurePriority 3 – Threat through automated widespread attacksPriority 4 – Threat through compromise on system/root levelPriority 5 – Threat to availability of certain servicesPriority 6 – Threat through compromise on account/user levelPriority 7 – Threat through theft of dataPriority 8 – Threat through further attacksPriority 9 – Threat through other trivial attacks

© 2000-2008 by PRESECURE® Consulting GmbHSlide 18 / Grid-CERT Services – Annual FIRST Conference 2008

®

* 4. Incident Priority List

Examples for incident categories

Priority Examples

1 Life and health threatening attacks (Hospital nets etc.)

Attack on net infrastructure (Router, DNS‐Server etc.)2

Attack on the DFN‐CERT network

Worms (e.g. Nimda)3

Report about DDoS‐Handler or DDoS‐IRC‐Channel

Sniffer‐installation

Theft of particularly secured data

Other particularly secured data

Root‐Compromise

Root‐Compromise with logs

Report about DDoS‐Agents

DDoS‐Reports in general

5 SPAM‐DoS (falsified headers “From:”)

4

© 2000-2008 by PRESECURE® Consulting GmbHSlide 19 / Grid-CERT Services – Annual FIRST Conference 2008

®

* Incident Priority List

Priority Examples

Account‐Compromise (Non‐Root, single case)

Open mail relay

DoS attack

Theft of data (e.g. /etc/passwd etc.)7

Phishing

Unsuccessful login attempts8

Port scans

NMAP‐Scans (general port scan)

Unsuccessful cgi‐bin/phf attack

TFTP‐Attempt

DHCP‐Attempt

SPAM (single case)

Fake mails (single case)

FTP‐Abuse (Swap‐Site)

Virus problems

9

6

© 2000-2008 by PRESECURE® Consulting GmbHSlide 20 / Grid-CERT Services – Annual FIRST Conference 2008

®

* Modified Incident Priority List

Priority Examples

1 Life and health threatening attacks (Hospital nets etc.)

Attack on net infrastructure (Router, DNS‐Server etc.)2

Attack on the DFN‐CERT network

Worms (e.g. Nimda)

Report about DDoS‐Handler or DDoS‐IRC‐Channel

Attack on Grid‐Server/Application including DDoS‐Reports

Sniffer‐Installation

Theft of particularly secured data

Other particularly secured data

User/Root‐Compromise

User/Root‐Compromise with logs

Report about DDoS‐Agents

DDoS‐Reports in general

5 SPAM‐DoS (falsified headers “From:”)

4

3

© 2000-2008 by PRESECURE® Consulting GmbHSlide 21 / Grid-CERT Services – Annual FIRST Conference 2008

®

* Modified Incident Priority List

Priority Examples

Open mail relay

DoS attack

Theft of data (e.g. /etc/passwd etc.)

Phishing7

Unsuccessful login attempts

Port scans8

NMAP‐Scans (general Port Scan)

Unsuccessful cgi‐bin/phf attack

TFTP‐Attempt

DHCP‐Attempt

SPAM (single case)

Fake Mails (single case)

FTP‐Abuse (Swap‐Site)

Virus problems

9

6

© 2000-2008 by PRESECURE® Consulting GmbHSlide 22 / Grid-CERT Services – Annual FIRST Conference 2008

®

* 5. Traditional CERT Services

© 2000-2008 by PRESECURE® Consulting GmbHSlide 23 / Grid-CERT Services – Annual FIRST Conference 2008

®

* 6. Modification of CERT Services

Traditional 

CERT Services

Relevance in Grid Environment

Practical Applikation / Use in Grid Environment

Requirements

Incident Handling

Fundamentally important (++)

Needs modification (0) Some necessary preparation / preliminary work  (0)

Alerts and Warnings

Fundamentally important (++)

Needs modification (0) Some necessary preparation / preliminary work  (0)

Vulnerability Handling

Valuable (+) Needs minor modification (+)

Some necessary preparation / preliminary work  (0)

Artifact Handling

Limited value (0) Needs minor modification (+)

Brief preparation / preliminary work (+)

Forensic Analysis

Limited value (0) Hardly feasible (‐) Extensive preparation / preliminary work (‐)

Reactive

© 2000-2008 by PRESECURE® Consulting GmbHSlide 24 / Grid-CERT Services – Annual FIRST Conference 2008

®

* Modification of CERT Services

Traditional 

CERT Services

Relevance in Grid Environment

Practical Applikation / Use in Grid Environment

Requirements

Announcements Valuable (+) Needs modification (0) Some necessary preparation/ preliminary work  (0)

Development of Security Tools

Fundamentally import(++)

Needs modification (0) Extensive preparation / preliminary work  (‐)

Configuration and Maintenance of Security Tools, Applications and Infrastructures

Valuable (+) Needs modification (0) Extensive preparation / preliminary work  (‐)

Intrusion Detection Services

Valuable (+) Needs modification (0) Extensive preparation / preliminary work  (‐)

Security Audits and Assessments

Limited value (0) Needs modification (0) Extensive preparation / preliminary work  (‐)

Security‐related Information Dissemination

Valuable (+) No modification necessary (++)

None (++)

Technology Watch Valuable (+) No modification necessary (++)

None (++)

Trend and Neighbourhood Watch

Valuable (+) Needs minor modification (+)

Some necessary preparation/ preliminary work  (0)

Pro‐active

© 2000-2008 by PRESECURE® Consulting GmbHSlide 25 / Grid-CERT Services – Annual FIRST Conference 2008

®

* Modification of CERT Services

Traditional 

CERT Services

Relevance in Grid Environment

Practical Applikation / Use in Grid Environment

Requirements

Awareness Building Valuable (+) Minor modification (+) Some necessary preparation / preliminary work (0)

Business Continuity and Disaster Recovery Planning

Valuable (+) Needs modification (0) Extensive preparation/ preliminary work  (‐)

Education and Training

Valuable (+) Minor modification (+) Some necessary preparation / preliminary work (0)

Product Evaluation and Certification

Secondary (‐) Minor modification (+) Extensive preparation/ preliminary work  (‐)

Risk Analysis Limited value (0) Needs modification (0) Some necessary preparation / preliminary work (0)

Security Consulting Valuable (+) Minor modification (+) Brief preparation / preliminary work (+)

Security Quality Management Services

© 2000-2008 by PRESECURE® Consulting GmbHSlide 26 / Grid-CERT Services – Annual FIRST Conference 2008

®

* 7. New Services and Service Category

Preparation  and  Enforcement  of  AUPs  and Security PoliciesEnforcement of certain QualitiesClearinghouse for Monitoring Data Setup and Maintenance of the Grid‐PKIMonitoring and Verification of CertificatesFirewall Checks

⇒Infrastructure Services⇒Improves reliability and integrity

© 2000-2008 by PRESECURE® Consulting GmbHSlide 27 / Grid-CERT Services – Annual FIRST Conference 2008

®

* 8. Conclusion

A Grid‐CERT is a valuable security management concept for Grids

CERTs should work closely together with Grid community and developers of Grid software

CERTs must accept and understand that Grids have different characteristics and needs than usual constituency

Traditional CERT Services have to be modified

Especially new Infrastructure Services would provide valuable additions

© 2000-2008 by PRESECURE® Consulting GmbHSlide 28 / Grid-CERT Services – Annual FIRST Conference 2008

®

* Conclusion

The new Infrastructures Services are also valuablefor traditional CERTs

It is recommended to establish Grid‐PSIRTs

There should be:

One Grid‐PSIRT for every Grid software and one Grid‐CERT for every Grid community!

© 2000-2008 by PRESECURE® Consulting GmbHSlide 29 / Grid-CERT Services – Annual FIRST Conference 2008

®

* Contact details

Antonio Tung‐Wang Liu

Email: al@pre‐secure.de

Tel.: +49 40 808077 888